It’s 2:32 in the morning. I just spent two rather unpleasant hours cleaning up after I noticed that my webspace got broken into.
So what happened? Apparently, about two days ago, the attackers exploited a vulnerability in PHP’s XML-RPC support to gain access. The culprit that left the door wide open was the WordPress installation of my German blog. I recently upgraded the software of the blog you’re currently reading to a version that happens to be immune against that attack, but didn’t upgrade the other one. Damn.
I’m hosting several domains and subdomains on this webspace. The attackers replaced all index.php and index.html files in the domain roots with ten-byte-files containing only the word “oldschool”. They also placed a file “lol.html” containing only the word “lol” in one of the subdomains. According to the timestamps on the server, there are no other changes.
This means the damage was easy to fix — I just had to restore a couple of files from backup. I also deleted xmlrpc.php from the old WordPress installation as a workaround for the vulnerability. I’ll upgrade it later.
I poked around the server logs to find out what was going on. Here’s one of the interesting parts of the log for cyganiak.de and its subdomains:
194.72.238.15 - - [03/Sep/2005:21:39:16 +0200] "HEAD / HTTP/1.1" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
201.4.232.241 - - [03/Sep/2005:21:39:19 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
201.4.232.241 - - [03/Sep/2005:21:39:22 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
201.4.232.241 - - [03/Sep/2005:21:39:28 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
201.4.232.241 - - [03/Sep/2005:21:39:34 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
201.4.232.241 - - [03/Sep/2005:21:39:36 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
213.219.122.11 - - [03/Sep/2005:21:41:42 +0200] "GET / HTTP/1.0" 200 10 "-" "Wget/1.9.1"
213.219.122.11 - - [03/Sep/2005:21:41:42 +0200] "GET / HTTP/1.0" 401 1695 "-" "Wget/1.9.1"
213.219.122.11 - - [03/Sep/2005:21:41:51 +0200] "GET / HTTP/1.0" 200 10 "-" "Wget/1.9.1"
194.72.238.15 - - [03/Sep/2005:21:42:54 +0200] "HEAD / HTTP/1.1" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
The first and the last hits are Netcraft, a familiar sight in logfiles all over the world. In between is the exploit: the POSTs to xmlrpc.php execute some evil code on my server. The GETs quite obviously verify the results: the attacker checks if the homepage is gone. Quite a number of similar sequences can be found throughout the logs.
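Detection logic for the two signals in the excerpt above, added here as an example and not part of the original post: it parses Combined Log Format lines, counts successful POSTs to any xmlrpc.php per source IP, and flags GETs of the site root whose 200 response is only a few bytes (the size a defaced ten-byte index file returns). The sample log is constructed from the excerpt plus one benign line with a made-up address.

```python
import re
from collections import Counter

# Combined Log Format, one entry per line, as in the excerpt quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: three lines from the post's log plus one ordinary page view.
SAMPLE_LOG = """\
194.72.238.15 - - [03/Sep/2005:21:39:16 +0200] "HEAD / HTTP/1.1" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
201.4.232.241 - - [03/Sep/2005:21:39:19 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
201.4.232.241 - - [03/Sep/2005:21:39:22 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 200 32 "-" "-"
213.219.122.11 - - [03/Sep/2005:21:41:42 +0200] "GET / HTTP/1.0" 200 10 "-" "Wget/1.9.1"
10.0.0.5 - - [03/Sep/2005:22:00:00 +0200] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            entries.append(e)
    return entries

def xmlrpc_posters(entries):
    """Successful POSTs to an xmlrpc.php endpoint, counted per source IP.
    On a site that does not use XML-RPC any hit is worth an alert; a burst
    from one address within seconds is the pattern seen in the post."""
    counts = Counter()
    for e in entries:
        if (e["method"] == "POST" and e["status"] == "200"
                and e["path"].split("?")[0].endswith("xmlrpc.php")):
            counts[e["ip"]] += 1
    return counts

def tiny_index_hits(entries, max_bytes=16):
    """Successful GETs of the site root that returned only a few bytes: a real
    index page is kilobytes, a defacement marker like 'oldschool' is ten."""
    return [(e["ip"], e["ts"], e["size"]) for e in entries
            if e["method"] == "GET" and e["path"] == "/"
            and e["status"] == "200" and e["size"] <= max_bytes]
```

Run both checks over a whole day's log and the 200-to-xmlrpc.php burst will point at the entry vector while the tiny root responses date the defacement, which is exactly the correlation the post makes by hand.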
This log trawling told me two things: First, that the attackers came through the old WordPress installation and not one of the other pieces of software I’m running (or through the webhoster’s system). Second, it gave me some of the IP addresses involved. Most of them resolve to Brazilian dialup IPs. Zombies.
Except for one, the address that sent the GET requests above. It resolves to zone-h.org. This turns out to belong to a cracker group whose speciality is mass defacement of websites. They apparently have tools that do this kind of stuff automatically, many times every day. They even have an RSS feed of their successful exploits. They appear to be based in Estland.
So it’s just a bunch of script kiddies who take advantage of lazy webmasters in order to brag about it on IRC. I still want someone to kick them in the groin.
Most all blog hacks are from people not upgrading their blog software.
If you don’t make a ton of changes, just backup your template one time, then create or download a script to email you a database dump every couple days.